book

Asterisk: The Definitive Guide, 5th Edition

by Jim Van Meggelen, Russell Bryant, Leif Madsen

June 2019

Intermediate to advanced

412 pages

11h 4m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Joshua Colp (Senior Software Developer, Sangoma/Digium)Dan Jenkins (Founder, Nimble Ape Ltd)Joyce Wilmot (Senior Web Developer)Matt Florell (Founder, VICIdial)Matt Fredrickson (Director of Asterisk Engineering, Sangoma/Digium)
AudienceSoftwareConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments from Jim Van Meggelen
Asterisk and VoIP: Bridging the Gap Between Traditional and Network TelephonyThe Zapata Telephony ProjectMassive Change Requires Flexible TechnologyAsterisk: The Hacker’s PBXAsterisk: The Professional’s PBXThe Asterisk CommunityAsterisk’s Discourse-Based Community SiteThe Asterisk Mailing ListsAsterisk Wiki SitesThe IRC ChannelsConclusion
ModulesApplicationsBridging ModulesCall Detail Recording ModulesChannel Event Logging ModulesChannel DriversCodec TranslatorsFormat InterpretersDialplan FunctionsPBX ModulesResource ModulesAdd-on ModulesTest ModulesFile StructureConfiguration FilesModulesThe Resource LibraryThe SpoolLoggingThe DialplanHardwareAsterisk VersioningConclusion
Linux InstallationChoosing Your PlatformVirtualBox StepsLinux (OpenStack) HostDependenciesAsterisk InstallationDownload and PrerequisitesCompiling and InstallingInitial ConfigurationSELinux TweaksFirewall TweaksFinal TweaksValidating Your New Asterisk SystemCommon Installation ErrorsSome Final Configuration NotesSample Configuration Files for Future ReferenceThe Asterisk Shell Commandsafe_asteriskConclusion
The Inconvenience of SecuritySecuring SIPSubscriber NamesSecure SIP SignalingSecuring MediaEncrypted RTPConclusion
Telephone Naming ConceptsHardphones, Softphones, and ATAsConfiguring AsteriskHow Channel Configuration Works with the Dialplanchan_pjsipTesting to Ensure Your Devices Have RegisteredA Basic Dialplan to Test Your DevicesUnder the Hood: Your First CallConclusion
Dialplan SyntaxContextsExtensionsPrioritiesApplicationsThe Answer(), Playback(), and Hangup() ApplicationsA Basic Dialplan PrototypeA Simple DialplanHello WorldBuilding an Interactive DialplanThe Goto(), Background(), and WaitExten() ApplicationsHandling Invalid Entries and TimeoutsUsing the Dial() ApplicationUsing VariablesPattern MatchingIncludesConclusion
The Basics of TrunkingFundamental Dialplan for Outside ConnectivityThe PSTNTraditional PSTN TrunksVoIPNetwork Address TranslationPSTN Termination and OriginationConfiguring SIP TrunksEmergency DialingConclusion
The voicemail.conf FileAn Initial voicemail.conf FileThe [general] SectionThe [zonemessages] SectionMailboxesVoicemail Dialplan IntegrationThe VoiceMail() Dialplan ApplicationThe VoiceMailMain() Dialplan ApplicationStandard Voicemail KeymapCreating a Dial-by-Name DirectoryVoicemail to EmailVoicemail Storage BackendsLinux FilesystemIMAPMessage Storage in a DatabaseConclusion

Devices External to the Asterisk ServerPSTN Connectivity, DAHDI, Digium Cards, and Analog PhonesDAHDI DriversInternationalization Within AsteriskCaller IDLanguage and/or Accent of PromptsTime/Date Stamps and PronunciationConclusion—Easy Reference Cheat Sheet
Expressions and Variable ManipulationBasic ExpressionsOperatorsDialplan FunctionsSyntaxExamples of Dialplan FunctionsConditional BranchingThe GotoIf() ApplicationTime-Based Conditional Branching with GotoIfTime()GoSubDefining SubroutinesReturning from a SubroutineLocal ChannelsUsing the Asterisk DatabaseStoring Data in the AstDBRetrieving Data from the AstDBDeleting Data from the AstDBUsing the AstDB in the DialplanHandy Asterisk FeaturesConferencing with ConfBridge()Handy Dialplan FunctionsCALLERID()CHANNEL()CURL()CUT()IF() and STRFTIME()LEN()REGEX()STRFTIME()Conclusion
features.confThe [general] SectionThe [featuremap] SectionThe [applicationmap] SectionApplication Map GroupingParking and PagingCall ParkingPaging (aka Public Address)Places to Send Your PagesZone PagingAdvanced ConferencingVideo ConferencingConclusion
Creating a Simple ACD QueueQueue MembersControlling Queue Members via the CLIDefining Queue Members in the queue_members TableControlling Queue Members with Dialplan LogicAutomatically Logging Into and Out of Multiple QueuesAdvanced QueuesPriority Queue (Queue Weighting)Queue Member PriorityChanging Penalties Dynamically (queuerules)Announcement ControlOverflowUsing Local ChannelsQueue Statistics: The queue_log FileConclusion
Device StatesChecking Device StatesExtension States Using the hint DirectiveHintsChecking Extension StatesSIP PresenceUsing Custom Device StatesConclusion
An AA Is Not an IVRDesigning Your AAThe GreetingThe Main MenuTimeoutInvalidDial by ExtensionBuilding Your AARecording PromptsThe DialplanDelivering Incoming Calls to the AAIVRConclusion
Your Choice of DatabaseManaging DatabasesTroubleshooting Database IssuesSQL InjectionPowering Your Dialplan with func_odbcA Gentle Introduction to func_odbcGetting Funky with func_odbc: Hot-DeskingUsing RealtimeStatic RealtimeDynamic RealtimeStoring Call Detail RecordsDatabase Integration of ACD QueuesStoring Dialplan Parameters for a Queue in a DatabaseWriting queue_log to DatabaseConclusion
Components of an IVRIVR Design ConsiderationsAsterisk Modules for Building IVRsCURL()func_odbcAGIAMIARIA Simple IVR Using CURL()The DialplanA Prompt-Recording IVR FunctionSpeech Recognition and Text-to-SpeechText-to-SpeechSpeech RecognitionConclusion
Call FilesYour First Call FileNotes About Call FilesAMI Quick StartAMI over TCPAMI over HTTPConfigurationmanager.confhttp.confProtocol OverviewMessage EncodingAMI over HTTPExample UsageOriginating a CallRedirecting a CallDevelopment FrameworksConclusion
Quick StartAGI VariantsProcess-Based AGIFastAGI—AGI over TCPAsync AGI—AMI-Controlled AGIAGI Communication OverviewSetting Up an AGI SessionCommands and ResponsesEnding an AGI SessionExample: Account Database AccessDevelopment FrameworksConclusion
ARI Quick StartBasic Asterisk ConfigurationTesting Your Basic ARI EnvironmentWorking with Your ARI Environment Using SwaggerThe Building Blocks of ARIRESTWebSocketStasisFrameworksari-py (and aioari) for Pythonnode-ari-clientAsterNET.ARIari4javaphpariaricppasterisk-ari-clientConclusion
The Browser as a TelephonePreliminary KnowledgeConfiguring Asterisk for WebRTCCyber Mega PhoneMore About WebRTCConclusion
logger.confReviewing Asterisk LogsLogging to the Linux syslog DaemonVerifying LoggingLog RotationCall Detail RecordsCDR ContentsDialplan Applicationscdr.confBackendsExample Call Detail RecordsCaveatsChannel Event LoggingConclusion
Scanning for Valid AccountsAuthentication WeaknessesFail2banInstallationConfigurationEncrypted MediaDialplan VulnerabilitiesSecuring Asterisk Network APIsOther Risk MitigationResourcesConclusion—A Better Idiot
The Telephone Is Dead (Except When It’s Not)Communications OverloadThe Problems with Open Source DevelopmentThe Future of AsteriskWebRTCThe Future of Telephony

Content preview from Asterisk: The Definitive Guide, 5th Edition

Chapter 4. Certificates for Endpoint Security

We only need to be lucky once. You need to be lucky every time.
The IRA to Margaret Thatcher, after a failed assassination attempt

If you really want to do something, you’ll find a way. If you don’t, you’ll find an excuse.
Jim Rohn

The Inconvenience of Security

VoIP security can be regarded as two separate (but interconnected) challenges:

Securing a system against toll fraud (which is generally the goal of SIP-based intrusion attempts)
Securing a system against call interception (which relates to privacy, as well as improving toll fraud defenses)

There are of course many other aspects to the security of your system, but most of those are general security concepts, not specific to VoIP.

In this chapter we will focus on an area of security that is too often overlooked, namely the generation and application of certificates and keys in order to secure communication between endpoints and your system. In SIP communications, encryption is optional (and, unfortunately, not used most of the time). In WebRTC, it is required.

This chapter should by no means be considered the final word on securing your Asterisk system; there will be more covered in Chapter 22. We do hope, however, that it will provide you with a solid foundation on which to build a secure solution.

Securing SIP

If you build any sort of server that is exposed to the internet, and wait for a few short hours after powering it up, you will notice that the system will have already attracted probes ...